Vulnerability Assessment With Nessus Home - Part 1

Part One of a Two-Part series

Introduction

If you work in the field of Information Technology, you have probably heard of Vulnerability Assessment (VA). VA is a process of identifying security vulnerabilities in a system. It is recommended that you conduct a VA against your organization's network every quarter, and if your organization follows certain policy and standards, such as PCI DSS, VA is a requirement. However, organizations should not be the only ones conducting VAs against their network; average home users should also conduct vulnerability assessment against their network. In this blog, I will guide you through the process of performing a VA against your network using Nessus Home.

What Is Nessus?

Nessus is a vulnerability scanner developed by Tenable and there are two versions of it: Nessus Home and Nessus Professional. Basically, the major differences between the two are that you can only scan up to 16 IP addresses per scanner, and you won’t be able to perform compliance checks and content audits with Nessus Home. Most average users will not have more than 16 systems, and there is no need to run compliance checks or content audits on your home systems.

Vulnerability assessments are typically done by running authenticated scans, which means the scanner will authenticate against the systems its scanning. The scan will then come back with much more detailed information about a system. With Nessus, you can perform authenticated scans against different operating systems such as Windows, Linux, and Mac OS via different methods such as SMB, SSH, SNMP, Telnet, etc.

Installing and Setting Up Nessus

For demonstration purposes, I will walk you through the process of installing and setting up Nessus and performing an authenticated scan against Windows 10.

To use Nessus, you need to obtain an activation code on Tenable's website, which is (https://www.tenable.com/products/nessus-home). Use your name and email address, and the code will be sent to your email.

Registering for an Activation Code

 

Emailed Activation Code

Once you receive your code, go to this page (https://www.tenable.com/downloads/nessus) and download Nessus. Choose the appropriate package. In my case, I'm going to download the package for Windows 10 (64-bit).

Downloading Nessus

Install Nessus. During the installation, Nessus will install a tool called WinPcap, which will allow Nessus to capture live network traffic. Check Automatically start the WinPcap driver at boot time option and install WinPcap.

Nessus installer

 

Nessus Setup Wizard

 

Select the start the WinPcap driver at boot option

Nessus runs on TCP Port 8834 on your local machine. To access the web console, open a browser and navigate to https://localhost:8834. Once the installation is complete, your default browser will open, and it will ask you to connect via SSL. Click Connect via SSL and your browser will display a warning saying that the certificate cannot be trusted. This is normal since Nessus uses a self-signed certificate. Proceed by clicking Go on to the webpage (Different browsers will have different wording, but they will give you an option to accept the risk and proceed).

Welcome to Nessus!

 

Certificate Warning, Select Go on to the webpage

Create your account. Make sure you use a strong password! Once you create an account, you will be asked to enter your activation code that was sent to your email. After you enter the code and click Continue, Nessus will start to set up the plugins and other files that it needs to perform a scan. This process will take a while so take a break and come back in an hour or so. After the setup is complete, you’ll be greeted by the web console.

Creating a Nessus account

Registering the scanner

Initializing Nessus

Nessus using Localhost and Port 8834

You can create a new scan by clicking New Scan on the upper right corner. You’ll see that certain templates aren’t available until you upgrade to Nessus Professional, but you still have access to templates such as Advanced Scan, Basic Network Scan, Host Discovery, Malware Scan, Spectre and Meltdown, and WannaCry Ransomware. It is straight forward to use these templates; you give it the IP addresses you want to scan, and credentials if you want to perform the recommended authenticated scan. Setting up a scan and properly performing an authenticated scan will be covered in Part II.

Listing of Scan Templates for Nessus

Useful Tips and Tricks

Now, I would like to share how some tips and tricks that I’ve acquired using Nessus for about a year. This is a personal preference, so you do not have to follow my suggestions. It will involve tweaking some settings and if you don’t want to, that’s fine. It won’t affect the performance of the Nessus scans.

By default, Nessus will automatically start and run in the background on boot on Windows. I don’t like how it’s running when I don’t need it (On Linux, Nessus does not start automatically by default and you need to start it manually, which is what I prefer!). In order to prevent Nessus starting on boot, open Services and find Tenable Nessus on the list. You will see that it is set to Automatic. To change this, right click on it and set Startup type to Manual. Nessus won’t start on boot anymore and you’ll have to manually start/stop it. To do so, open a Command Promptor PowerShell and type net stop/start “Tenable Nessus”.

Windows Services

Configuring Nessus to manual start using Windows Services

Net Start/Stop of Nessus

According to Tenable, they release more than 100 plugins weekly. This means that you will have to update Nessus frequently in order to use those new plugins. If there is an update available, Nessus will let you know when you log into the GUI. However, I prefer updating it from the command line. To do this, open a Command Prompt or PowerShell as an administrator and navigate to C:\Program Files\Tenable\Nessus directory. Once you are there, type .\nessuscli.exe update –all (.\ is not needed if you are doing this from the Command Prompt). Nessus will download the updates from nessus.org. Make sure to restart Nessus after you update it.

Nessus Directory

 

Nessus Update from command line

Lastly, Nessus rates the findings with its severity levels: Critical, High, Medium, Low, and Informational. Prior to Nessus v8, it listed the findings by severity but now it “groups” certain findings. I find this feature not very helpful and annoying, so I disabled it right away. To do so, click on Settings next to Scans, go to Advanced, and type groups. This will return two settings: Use Mixed Vulnerability Groups and Use Vulnerability Groups. Set the values to No. You are welcome.

Nessus Groups

Nessus Advanced Settings

Conclusion

Nessus Home is a great vulnerability scanner that everyone should be using, not just cybersecurity professionals. In this blog, I’ve demonstrated installing and setting up Nessus on Windows. In Part II, I will demonstrate how to set up an authenticated scan and tweak some settings on Windows to allow Nessus to perform an authenticated scan.

Author Bio

Joseph Choi is a Cybersecurity Analyst with Alpine Security. He holds several security-related certifications, including Certified Ethical Hacker (CEH), EC-Council Certified Security Analyst (ECSA), CyberSec First Responder (CFR), Security+, and Network+. Joseph is a graduate from Truman State University with a B.S. in Business Administration.

Joseph's cybersecurity experience began at Alpine and includes penetration tests, vulnerability assessments, and wireless penetration tests. He was born and raised in South Korea until the age of 10 when he moved to Mexico. It wasn't until 2007 that his family moved to the States where he completed his high school and college education. He is a fan of Mr. Robot, and in his spare time he enjoys spending time with his girlfriend, taking long walks around the park, and going to the gym.

Mr. Robot Walkthrough (Vulnhub)

Source: USA Network

Anyone who is inspired to partake in a challenging course such as the Offensive Security Certified Professional (OSCP), or Licensed Penetration Tester-Master (LPT (Master)), knows that practice makes you a better hacker. Vulnhub is a great resource to find purpose-built virtual machine images to practice on. This image is based on a popular TV show, and we are going to walk through exploiting it together.

The first step in the hacker’s methodology is enumeration, so that is where we will start, with an Nmap scan of our target’s IP.

Nmap scan performing enumeration of the target

We have found a web service, as well as SSH running. We will look deeper at the web service to see if there is anything there that we can take advantage of.

Mr. Robot based scenario - #fsociety

No typical commands work here, so I choose to run Nikto against the server to see if there are any glaring vulnerabilities.

Alright, we can see the directory contents. There is a file there, so let us grab it.

Captured the dictionary file but still need usernames

We've found a dictionary file for a password attack, but we do not have any usernames yet... let us keep looking.

Running Nikto reveals that a WordPress site is being hosted at that IP, which is obviously a high-value target any time we find it.

Nikto is web server scanner which performs comprehensive tests against web servers.

We can jump right in to the WPSCAN and see what we can come up with.

WPSCAN is a WordPress vulnerability scanner.

There are tons of vulnerabilities and I am not positive any are going to lead anywhere, so I will start a brute force on the user "root" while I do some more enumeration.

Brute force attack against the system administrator account or “root”.

Through our Nikto results, we saw a few more pages to check out. At /readme (grammatical mistake is courtesy of the page).

Based on prior WP knowledge, we know that there should be a login page, so let us check it out at /wp-login:

WordPress login page

Now that we have a login page and a dictionary file, let us try to login. This time, we will use WPScan again, and we will use the file as a user file and a pass file. And... we are in.

Successful credentialed login using the dictionary file.

We can do a lot more to the server now that we have credentialed access.

Since the environment I am in does not lend itself to a reverse shell, and I am unable to upload a php file, I must be a bit more creative.

There is a project called the WordPress Exploit Framework (WPXF) that I have not had a chance to play around with, so this might be a good opportunity. After a brief break for configuration and installation, we have WPXF running on Kali.

WordPress Exploit Framework (WPXF)

This worked well, and I was able to find a new user, "robot", and a password of "abcdefghijklmnopqrstuvwxyz". Now we will jump into ssh and see if we can figure the rest of this challenge out.

SSH using robot as the user name

Since we have found 2 of 3, we know there is one more key out there. Now we will try a search using regex to find the file.

Without root access, we are not going to find it, but luckily Doc Sewell just reminded me that Nmap runs as root during our LPT-M class, and I saw that Nmap is present, so we will try to exploit this.

Found key 3 using Nmap

So, that is all there is to this machine. Using the knowledge that we have from the LPT-M and general hacker’s methodology, we were able to easily exploit the box and find all three keys. If you are interested, check out the VM at https://www.vulnhub.com/entry/mr-robot-1,151/ and give it a shot.

Author Bio

John Tagita Jr. is a Sr. Cybersecurity Engineer intern with Alpine Security. He holds a variety of industry certifications including CISSP, GIAC, GCFA, and CCFE. John has a passion for forensic investigations and breach response cases, application security, penetration testing, and blockchain technology. He holds degrees in Information Technology, Cyber Security, and Criminal Justice. John is currently active duty in the US Air Force service as a Cyberwarfare Training Chief.

When John is not working in the cybersecurity arena, you may find him developing Capture the Flag competitions, such as Hacktober or Hack The Arch, or competing himself. He also is passionate about security research and networking with other like-minded hackers. John loves spending the rest of his down-time with his beautiful wife and his four devilishly handsome sons.

Link up with John on social media at https://twitter.com/attackd0gz on Twitter, and https://www.linkedin.com/in/netsecspecialist on LinkedIn.

Incident Response Plan: The Tool You Hope You Never Need

It’s no question that in cybersecurity, defense is the best offense. In the constantly changing threat landscape, the tie often goes to the attacker, and businesses are forced to act like turtles putting up shells of security to ward off threats.  That is not always a bad thing; using a well-constructed defense- in- depth plan can greatly limit the likelihood of a successful attack.  I would like to believe we can get to a 99.99% level of security.  Even if that were true, that extra .01% keeps me up at night. What do we do if the controls fail? How do we respond then? What do we do the other 1% of the time? Once we find out that our emails have been hacked, or our money has been stolen is not the time to ask, “what now?” Even worse, what do you do when you suspect that an insider has embezzled funds and the evidence is located on their computer? Though we invest in and rely on our security controls, it is unfortunately not always enough.  We must have a plan for the .01%.

Those Who Fail to Plan, Plan to Fail.

In the world of cybersecurity, one of the biggest reasons companies find themselves becoming victims is because they fail to plan for their IT growth, especially for security. Often small to medium business put little to no thought into cybersecurity until after they have become a victim. As a business grows the need to protect that growth comes with a lot of hard decisions. Many times, a balance must be struck between expanding revenue, generating sources like equipment, and personnel and infrastructures like email servers and IT staff. Many businesses quickly find themselves outgrowing their IT infrastructure before they even realize it has happened. They often don’t realize they have a problem until a compromise or critical failure takes place.

What’s At Stake?

It is imperative to consider what is at stake.  The answer is possibly more than you think. Recently a client asked me to give them some case studies to show what the costs of not being properly prepared could be. In one case a small business had $1.5M stolen from their bank accounts over a period of three days using a fairly straightforward cyberattack. Within a few weeks, they were forced to lay off employees and file bankruptcy. Other less obvious risks arise that business may not know how to deal with until it is too late. What happens if an employee uses a personal device on the company network for illegal activity? Is the company protected? What if an employee embezzles funds from a partner corporation and millions in contracts are tied up in litigation? What do you do with that employee’s computers and devices? These are the types of situations that we see on a daily basis and represent that .01 % of cases in which one wrong move could mean the difference between liquidation and salvation. Obviously, we cannot plan for everything, but having a well-laid incident response plan and a trained team in place to execute can prevent a lot of grief in the long run.

What is an Incident Response Plan (IRP)?

The goal of an incident response plan is to have an answer prepared for those “what if” situations. The type of situation can vary from a power outage to a data breach, and the depth of the incident response planning should be based on the likelihood of an event taking place and the severity and level of impact if it does. The incident response plan will outline important information about communications during critical events; it may go as far as to outline authority and decision making matrices to ensure that risk is accepted at the appropriate level.

Key Areas to Cover

Incident response planning can be a daunting task at first glance. There is no end to the number of circumstances that can arise. The real key is to outline how to respond to incidents in a methodical manner, as well as identify who is responsible for acting during a crisis (see Incident Response Team below). The process of incident response is generally broken into 6 areas. Specific checklists and policies can be created for known risks, but these same steps can be used when an event you are unprepared for arises.

1.       Preparation – Creating policies and establishing standards for what constitutes an incident. Practicing and conducting drills or exercises to respond to incidents.

2.       Identification/ Detection – Tactics techniques and procedures to detect an incident in progress.

3.       Containment – Taking steps to prevent the spread or continuation of a breach or incident. This could be as simple as segregating a computer from a network or as complex as removing access to major systems.

4.       Eradication – Remove any corrupt or infected files, restore backups, ensure no other systems have been impacted. Restore or replace affected systems.

5.       Recovery – Return all systems to full operation.

6.       Review Lessons Learned – Identifying what went right or wrong from the incident for future use.

These steps may seem simple at first glance but can quickly become complicated. For example, If an IT staff member determines that a website has been infiltrated does that member then have the authority to take the web server offline while further investigation is conducted? How much revenue will be lost during the outage? Will other system be impacted? What are the risks of operating with a potentially compromised system? Outlining how much risk is acceptable and what level of management is responsible for accepting that risk is critical prior to an incident taking place.

Also of note, the preservation of evidence should be kept at the forefront during all of these stages, especially if there are legal or financial implications for the company or its employees. In some cases, evidence can be destroyed or made useless by something as simple as turning off a computer. Therefore training staff on what to do in these situations is so important. If there are any legal or financial implications, it may be worth bringing in a certified digital forensics team to assist with the protection of evidence. If that is a function that doesn’t exist in-house, bringing in an outside cyber forensics team should be part of the IRP.

Incident Response Team (IRT)

An important aspect of incident response planning is the establishment and training of an IRT. The IRT will be the boots on the ground that will lead the efforts during a cyber incident. While they may not do all the work themselves, these will be the key players who will oversee and coordinate the response to cyber incidents. It may be unrealistic to have all staff trained to handle an incident, so having a team of staff identified and trained ahead of time is key to proper indecent handling. The team should be small enough to be agile, as well as contain multidiscipline employees to allow for perspective and cross-functionality. Ideally, the team will be led by the CISO and contain members of the IT staff. It may also be wise to consider having personnel from other business units, especially legal, HR, and public relations.

Practice, Practice, Practice.

Having an incident response plan sounds good on paper (pun intended), but it is important to test the plan on a regular basis. This will ensure that the team is still current on their responsibilities, able to identify holes in the plan, and give you an opportunity to update for any changes since the last time the IRT was practiced or used. I recommend testing IRP at least semiannually and revisiting it anytime major changes are made to the business or its infrastructures.

It’s Dangerous to Go Alone

It’s ok not to be the expert at everything. You are already great at what you do! If you would like help with security control audits, incident response planning, digital forensics, incident response, or any other cybersecurity service, Alpine Security is just a click away. Often it is more cost effective and less stressful to bring in a consulting team to help whip an organization into shape than try and go it alone.

Author Bio

Isaac (on the left) hiking in Vietnam

Isaac Wright is a Cybersecurity Analyst and Trainer with Alpine Security. A veteran of the US Air Force, Isaac has more than 15 years’ experience in electronics maintenance and security.  He holds degrees in Electronics Systems and Education and Training Management as well as a master instructor certification.  Isaac has a long history of maintaining, hacking, modding, and using electronics systems from networks and computers to radios and consumer electronics.  Isaac has leveraged his expertise to advise CIOs in large multi-site organizations on vulnerability management and risk mitigation. 

When not teaching or analyzing network traffic, Isaac loves to play board games with family, fish, camp, and experience everything the world has to offer.  An avid traveler, Isaac has been to more than 15 countries and especially enjoys Asia.

General Data Protection Regulation (GDPR) Overview

The new European Union (EU) Regulation 2016/679 GDPR (General Data Protection Regulation) have gone into effect May 25, 2018. This will have a far-reaching effect and identify many possible repercussions for any organization collecting, processing, and/or storing any EU citizen’s information.  Your company need not be located in any of the EU countries; rather if your company collects any EU citizen’s information, your company must adhere to and be complaint to the new regulation. 

The essential characteristics of the regulation are to protect personal data as a fundamental right and that privacy is to be respected as an expectation of the GDPR. The GDPR creates a greater level of harmonization across the EU for the sharing and exchange of data. Implementation of the GDPR requirements necessitates a greater level of protection of a person’s digital identity. The reason for such an increased worldwide emphasis on compliance is due to the imposed fines that can be applied if you fail to manage the privacy data appropriately. Fines are set at 4% of the noncompliant organization’s global revenue

 

Who is Responsible for GDPR?

There are two specific roles that are defined in the regulations, the first is the data controller and the other position is the data processor. A data controller is the collector of the data for internal or outsourced processing. The expectation is that an individual’s consent is required to collect the information. This role is responsible for documenting the format of how the data is to be utilized throughout its lifecycle within the organization, privacy policies, and the ability to process requests for data portability, rectification, objection, etc. The duties that are required for this role include compliance to protect the data subject’s rights. Examples of data controllers include social media organizations, education institutions, health organizations, banks, etc. If your organization determines how the data is to be processed and the purpose of that processing, this indicates a data controller.

A data processor is a natural or legal person, public authority, agency or other body responsible for managing and storing data on behalf of the controller. Specific clauses within the regulation require the same technical and organizational measures to be applied to the controller as well as the processor. An example would be an outsourced payroll company; the data controller tells the payroll organization who to pay and what amount. If you are not making these decisions and just acting on a request, this indicates a data processor. The required liability flows through the chain of data processing. Specifically, the data controller has liability if a data processor fails to fulfill his obligations.

 

What data is in scope?

Article 4(1) states: “‘personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” Elements of data types could include IP addresses, cookie data, or a photograph associated to an account. In many cases, personal customer data will be in multiple formats and forms in CRMs (Customer Relationship Management systems), contracts, sales contact databases, etc.

 

How CIS can help

Specific to the data controller and the data processor roles, responsibilities are to “implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the regulation.” CIS offers a multitude of best practices and cybersecurity solutions to help organizations on the path to GDPR compliance.

A strong starting point is to utilize a CIS SecureSuite Membership, which includes access to tools such as CIS-CAT Pro and remediation kits, to assess and harden systems. “Hardening” is the process of limiting vulnerabilities in a system to reduce cyber threats. Hardening systems to the CIS Benchmarks™, secure configuration guidelines for over 150 technologies, provides a platform for compliance and is a recognized foundation to build your remaining data infrastructure. Measure system conformance to the CIS Benchmarks with CIS-CAT Pro Assessor, our configuration assessment tool which provides assurance that the target system is hardened to the standard. It is not sufficient to simply state compliance to a particular benchmark – measure and prove it with the dynamic reporting features of CIS-CAT Pro Dashboard. 

If you are working in the cloud, the CIS controls offer pre-hardened virtual machines on the Microsoft Azure Marketplace and Google Cloud Platform (GCP), and Amazon Machine Images (AMIs) on Amazon Web Services in the AWS Marketplace, including the AWS GovCloud (US) region and IC region. CIS Hardened Images conform to the applicable security standards of the CIS Benchmarks, bringing on-demand security to cloud computing environments.

The CIS Controls are a prioritized set of cybersecurity best practices to help organizations improve their security posture. Version 7 of the CIS Controls was released in March 2018 and contains following guidance that can be applied to GDPR compliance. The CIS Controls can serve both as a measurement process to encourage compliance as well as for implementing a security control framework within your organization. In many cases, the entire CIS Controls can be applicable to implement a structured and measured approach to compliance and security for the organization.  GDPR will require a complete understanding and visualization of the data flows for personal information throughout your enterprise. The regulation extends to data controllers and processors. It may seem challenging at first, but with due diligence, documented plans, and help from the cybersecurity resources available from CIS, the road to compliance is achievable.

 

Why is this applicable to companies in the United States?

Why is this applicable to companies in the United States if your company is not doing any business with EU countries? California will soon be implementing the California Consumer Protection Act (CCPA) in July of 2020. California’s CCPA mirrors the EU Regulation 2016/679 for GDPR.  Companies in New York doing business with companies in California and collecting consumer data will be required to meet the CCPA.  Companies need to move forward and begin the process on GDPR compliance. Here are three key areas in which to move ahead with compliance readiness: 

• Analyze, develop, and execute GDPR programs across your organization’s systems, processes, people, and policies

• Make it a team effort - Get all of your relevant teams working together 

• Ensure buy-in from your management to stay on top of GDPR compliance 

GDPR will ultimately lead to companies gathering just enough data from individuals in order to complete any type of conversion, transaction, or order agreement. But the optimistic viewpoint is that with greater clarity of data protection and privacy controls, consumers will become more comfortable with emerging digital practices, and when working with companies, will be able to form trust with these companies to hold their personal information in high regard.

Author Bio

Doug, shredding a solo.

Doug Stewart is a Senior Sales Manager. Doug brings a wealth of experience and is focused on sales and business development activities. Doug strives to help businesses meet the demands of their on-going cybersecurity requirements and helps them be adequately protected against cyber intrusions.

Doug is located in Colorado where he majored in Music and played hockey at Denver University. He played in a highly competitive hockey league for 24 years post college, and coached his children’s soccer and hockey teams for 12 years. Music is still a strong passion which he pursues professionally with his band.  He and his wife are the proud grandparents to three grand kids.

Alpine Security Launches Cyber Infinity Training Program

O’Fallon, IL - Alpine Security (“Alpine”), a leading cybersecurity training, penetration testing, and audit firm, announces the launch of their Cyber Infinity Training Program.

The Alpine Security Cyber Infinity Programs consists of 12 months of unlimited certification training for $9,995. Included in the fee for the Cyber Infinity program are all course materials, remote labs, one exam voucher per class, and the Alpine Security exam pass guarantee. The Alpine Security Exam Pass guarantee allows students to retake a class free of charge if they do not feel ready for the exam after going through the training, or if they do not pass the exam in their first attempt. All Alpine Security’s certification training course offerings are included in the program.

“We are excited to introduce this new addition to our training programs,” says Cecilie Kreiner, Alpine Security’s Director of Training. “Whether new to the field or validating current skills via credentials, we encourage our students to map out their career path. The unlimited training in the Cyber Infinity Program allows you to customize your certification track with your personal career goals in mind. Whether you want to specialize in the offensive or defensive tracks, focus on cybersecurity management or cyber forensics, or create a well-rounded package with a variety of cybersecurity certifications, our wide selection of certification training classes can help you reach your goals.“

Alpine Security offers certification training courses from CompTIA, EC-Council, and (ISC)2, as well as hands-on, technical training in a variety of topics such as Wireshark training and malware analysis. Alpine is a CompTIA Authorized partner and EC-Council Accredited Training Center, and was awarded the EC-Council Best Newcomer of the Year in 2017.

Alpine offers the complete CompTIA Cybersecurity Track, starting with the Core Skills Certification Security+.  The CompTIA cybersecurity track provides a clear path for those starting a career in cybersecurity and for seasoned cybersecurity professionals looking to advance their career by proving their knowledge, skills, and abilities through certifications. Alpine’s EC-Council offerings include Computer Hacking Forensic Investigator (CHFI), Certified CISO, as well as the complete EC-Council Penetration Testing Track, from Certified Ethical Hacker (CEHv10) to LPT Master. Alpine Security’s (ISC)2 course offerings include CISSP and CAP.

For more information on the Cyber Infinity Training Program, please visit: https://www.alpinesecurity.com/training/cyber-infinity-program

ABOUT ALPINE SECURITY

Alpine Security, a Service Disabled Veteran Owned Small Business, offers a comprehensive suite of cybersecurity services and cybersecurity training. Alpine Security’s instructors are all practitioners who work as penetration testers, incident response handlers, forensic analysts, auditors, and more. This allows them to bring practical, real-world, and up-to-date experience into the classroom. Alpine Security mandates continuous training and certifications for everyone on their team, and all trainers have had to pass their rigorous Train-the-Trainer course as well as recurring courses on effective training and communication.

Protecting Internet Communications

Introduction

Today we all communicate constantly over the internet. Some people say we spend too much time on our mobile devices, and we do not interact enough with the world, and with the people around us. However, that is a discussion for another time. In this blog post we want to discuss how we keep our internet communications secure from eavesdropping.

E-Mail

Let us start with the granddaddy of internet communications protocols: E-Mail. Almost before there was any other way of communicating over the internet, there was E-Mail. It ran over a protocol called Post Office Protocol, or POP. The final version of the protocol is POP3. There was only one way to access our email, and that was using an E-Mail client such as Microsoft’s Outlook or Netscape Communicator (old school!) or Eudora (double old school!).

Back in the day there were only a couple of ways to keep your email secure, and that was through encryption. There were a couple of different ways to encrypt email using either a digital certificate or a software suite such as Pretty Good Privacy (PGP). There was also an open source version called Gnu Privacy Guard (GPG).

Both methods are still around and are still effective, although PGP has evolved a bit. It is now owned by Symantec and is part of their Endpoint Security suite solution. Even though the methods for protecting our email communications have evolved, they are still there, and still important. We still send a variety of sensitive information via E-Mail, and we need to protect it.

The easiest way to encrypt our email is to use a digital certificate, also known as a Public Key Certificate .  There are a range of options available to obtain an E-Mail digital certificate which is then installed into your E-Mail client and allows you to sign and encrypt email. The drawbacks are that you must be using a dedicated E-Mail client such as Outlook, Apple Mail, or Mozilla Thunderbird , and the people you are communicating with must also have a digital certificate. The same applies if you are using PGP/GPG. Everyone must be using it for it to be effective.

Fortunately, our E-Mail providers are also looking out for us. Companies like Google and Microsoft that provide E-Mail services use end-to-end transport encryption to help make our communications more secure.

Messaging

All the proceeding brings us to the new kid on the block of internet communications: instant messaging. Or just “messaging” as it’s called now.

Messaging started out on our early mobile phones as text messages, which are not and never were secure. However, today we have a variety of ways we can message each other securely from the Messages app in iOS to Whatsapp to Signal to Slack, etc.

“How are these mobile apps secure?”, I can hear you asking. It is a good question. They all use encryption to make sure no one else can eavesdrop on your messages with your friends, family, and business contacts. Apple was one of the first to do this for its customers when it started encrypting the messages between iCloud users. The drawback is, (and you knew one must be coming), the encryption only works between iCloud users. When you send a message, using the Messages app in iOS, to your friend who uses a smart phone that runs a different mobile operating system, such as Android, the message is a plain, unencrypted text message.

Which brings us to the other mobile apps that will help us communicate securely. There are a lot of them out there, but two that we would like to mention are Signal and Whatsapp. Many, many people use these apps daily to communicate securely and if you communicate with people who use a variety of mobile devices you should too. Some of these apps will even let you make encrypted phone calls, which is a big plus. There is also another kind of solution.

VPNs

One of the other ways to secure your communications is to use a Virtual Private Network (VPN). Many of us, like me, are used to being able to take our laptops down to the local coffee shop, or with us when we travel, connect to any ‘ole Wi-Fi, and then keep doing what we always do on the internet. What you may not be aware of however, is that unlike our home Wi-Fi networks which are encrypted, open, public Wi-Fi that we get at coffee shops, libraries, airports, etc., are not encrypted.  Anything done on those wireless networks can be intercepted by nefarious people. A good rule of thumb is, if you don’t have to enter a passphrase to connect to the wireless, it is not secure.

So how do you secure wireless?  I’m glad you asked! It is secured by using a VPN. As with the encryption methods for E-Mail and messaging, there are a variety of VPN providers out there that do not cost a lot of money. An individual or organization should research and decide which one is best for their respective needs.  It is not recommended to use a free VPN provider. Free VPN providers can be iffy because they get much of their funding via pushing ads to their users. One way they do that is by tracking what you do, which kind of defeats the purpose of using a VPN in the first place.

Returning to how a VPN can protect your communications, we could go into a lot of detail about what a VPN does, but we will keep it simple instead. Unlike the secure solutions above, which are very specific, a VPN works by creating a tunnel between you and a remote server. This tunnel is encrypted, which means that everything you send through it is protected from eavesdropping. This can be especially useful if you are working at the aforementioned coffee shop or airport.

Summary

All the information included in this blog is really our way of getting you to think about how, and who, you are communicating with on the internet, and what data you are sending. The bad guys are out there, and they are always watching and trying to get anything they can. If you are planning a birthday party for your best friend or sending your bank information to your CPA at tax time, do it securely. Do not make it easy for the bad guys!

Author Bio

Michael with his foster pit bull, Toby.

Michael Allbritton is a Cybersecurity Analyst and Trainer with Alpine Security. He holds several security-related certifications, including Certified Information Systems Security Professional (CISSP), Network+, Security+ and CyberSec First Responder (CFR). Michael has many years of experience in software testing, professional services, and project management.  He is equally comfortable working with software engineers on testing and design and with sales to meet and manage customer expectations. Michael’s cybersecurity experience with Alpine includes penetration testing, vulnerability assessments, and social engineering engagements for various clients as well as teaching courses for the above-mentioned certifications.

In his spare time Michael is an enthusiastic amateur photographer, diver, and world traveler. He has photographed wildlife and landscapes in the United States, Africa, Central America, West, and East Europe and has amassed several hundred dives as a PADI Divemaster.

sqlmap: Sucking Your Whole Database Through a Tiny Little Straw

Before getting into cybersecurity, I was a software developer for many years.  Although I had heard about security vulnerabilities introduced to software via poor coding practices, I, like many of my colleagues, did not take security all that seriously.  Hacking seemed like an arcane art, only mastered by those willing to spend years pouring over dusty tomes of x86 assembly language manuals and protocol RFCs.  It did not occur to us that many of the vulnerabilities could be exploited by anyone with basic web development coding skills and the willingness to spend a few hours on research.

One of these mysterious incantations was the dreaded “SQL Injection” attack.  What exactly could one do with a SQL Injection attack, anyway?  No one was quite sure, but since our software was going into a secure military installation, we were pretty sure that the perimeter defenses would prevent anyone from harming it.

SQL Injection is a vulnerability that is introduced when software developers do not check data entered by users for validity and suitability to purpose.  A malicious user can enter unexpected special characters to modify the structure of a SQL query.  This can happen when the developer pastes together pieces of a query with “unsanitized” user input.  The unsanitized input contains special characters that modify the structure of the query before it is passed to the query parser.

For example, consider a query in a PHP snippet that tests whether a user entering credentials at a login page is a valid user in the database:

$username = $_GET[‘username’];

$password = $_GET[‘password’];

$sql = “select USER_ID from USERS where USERNAME=’$username’ and PASSWORD=’$password’;”;

In this example, the variables username and password are retrieved from the HTTP POST that was submitted by the user.  The strings are taken as-is and inserted, via string interpolation, into the query string.  Since no validation is done on the input, the user can enter characters that will modify the structure of the query.  For example, if the user enters ‘ or 1=1; # for the username, and nothing for the password, the variable sql will now equal:

$sql = “select USER_ID from USERS where USERNAME=’’ or 1=1; #’ and PASSWORD=’$password’;”

In the MySQL database engine, the “#” sign is a comment, so everything that comes after it is ignored in the query.  There are no users with a blank username, but the condition “1=1” is always true, so the query will always succeed, returning all user IDs in the database.  The subsequent code will likely only check that at least one record was returned, and it will likely grab just the first ID, which in most cases, will be that of the administrative user.

Doing SQL injection manually requires a fair bit of knowledge of how SQL works.  On top of that, there are many different SQL engines, each with slight variations in syntax, such as PostgreSQL, MySQL, Microsoft SQL Server, Oracle, IBM DB2, and others.  SQL Injection “cheat sheets” can help pentesters figure out the required syntax for testing a web application, but SQL Injection is still a very time-consuming attack to carry out.

Enter sqlmap.  sqlmap is a program that automates tests for SQL Injection.  Not only does it work with many different SQL engines, when used against vulnerable applications, it can:

• Determine the schema of the database: database, table, and column names

• Dump data from tables

• Potentially upload or download files to the database server machine

• Perform out-of-band tests

• Dump usernames, password hashes, privileges, and roles

• Pass hashes off to a password cracker for a dictionary attack

• Perform “Blind” and “Boolean-based” SQL injection attacks, when the web application does not return error messages (this is probably sqlmap’s best time-saving feature. Performing these attacks by hand is almost completely untenable)

• Potentially even launch a remote shell on the database server

Let’s perform a demo attack against the Mutillidae intentionally-vulnerable web application as it is hosted on the OWASP Broken Web Application virtual machine.  We will launch an attack against Mutillidae’s login page.

Multillidae Login Page

sqlmap has many command line parameters, but we are going to set up the attack the easy way.  The first thing we must do is to set FireFox’s proxy to run through Burp Community Edition running on localhost on port 8080.  Then, we are going to enter a bogus login and password, such as admin / canary.  We capture the request in Burp before it goes to the server, as shown below.

Capturing the HTTP POST Request for the Mutillidae Login (Bottom Pane)

Copying the POST request from the bottom pane, we save the request to a text file.  In this case, the file is called mutillidae-req.txt, as shown below.

Saving the POST request

We can then run sqlmap using the text file by passing it with the “-r” command line parameter.  We also pass “-p username” to give it the name of the parameter we would like to attack.

sqlmap -r mutillidae-req.txt -p username

The first command will do some enumeration of the database to tell us that the database engine is MySQL 5.0 or above.

sqlmap Running

Database Identified as MySQL

Once we have the database engine, we can run sqlmap again, telling it what the engine is, so it does not have to guess again.  Also, we will ask sqlmap to get a list of databases on the server by using the following command:

sqlmap -r mutillidae-req.txt -p username --dbms mysql --dbs

Enumerating the Databases on the Database Server

Looking at the results, we notice that there is a database called wordpress that we would like to attack.  The WordPress blogging platform can be abused to allow an attacker to install malicious PHP code, as long as the attacker has the administrative credentials.  Running sqlmap again, we ask it to enumerate the tables in the wordpress database using the following command:

sqlmap -r mutillide-req.txt -p username --dbms mysql -D wordpress --tables

Below, we can see the results of the WordPress database’s table enumeration.

WordPress Database Table Enumeration

The most interesting table appears to be the wp_users table.  We will ask sqlmap to dump the contents of the table with the following command:

sqlmap -r mutillidae-req.txt -p username --dbms mysql -D wordpress -T wp_users --dump

sqlmap Dumps the wp_user Table

sqlmap runs, and as a bonus, it asks us if we want to save credentials that we have found, and if we would like to attempt to crack any password hashes with a dictionary attack.  Why YES, please DO!  :D

sqlmap Asks if We’d Like to Crack Passwords

When we take the defaults, sqlmap runs a dictionary attack with its default dictionary of about 1.4 million passwords.  We could also have chosen our own dictionary.  In short order, sqlmap recovers passwords for two WordPress users: admin (daniel1984) and user (zealot777).

sqlmap Cracks the WordPress Passwords

Once we have the admin password, we login to the WordPress admin page using the credentials admin / daniel1984.

Logging in to the WordPress Admin Page

Logged in to the WordPress Admin Page

Once logged in as admin, we can modify the searchform.php page for the default theme, as shown in the screenshots below.

Editing the searchform.php File in the WordPress Default Theme

We replace the searchform.php code with that of the excellent b374k Web Shell.

searchform.php Page Code Replaced by Malicious b374k Web Shell Code

Once we have replaced the searchform.php code with the web shell code, we can simply browse to the searchform.php file directly with the following URL:

http://192.168.115.128/wordpress/wp-content/themes/default/searchform.php

The b374k web shell page is displayed, and we login with the password provided when we created the b374k PHP file.

Logging in to the b374k Web Shell

Once logged in, we are presented with the File Explorer page.  We can browse to any page that the web server has permissions to read, and we can inspect its contents.

b374K Web Shell File Explorer

Here, we view the /etc/passwd file.

Using B374k to View the /etc/passwd File

We can do many other things with b374k, such as create a remote shell from the victim web server back to our attacking computer, as shown in the following screenshot:

Using b374k to Create a Remote Shell

As you can see, sqlmap is an incredibly useful tool to demonstrate to web developers and project managers alike that SQL Injection is indeed a serious vulnerability, one that deserves their full attention.  SQL Injection can lead to complete system compromise.  I am often told after a demo of sqlmap that it is “the scariest thing you have shown us yet”.

Learn more about sqlmap and other hacking tools in one of our Penetration Testing Courses.

Doc Sewell in Dandong, China, across the Yalu River from Shinuiju, North Korea

Author Bio

Daniel "Doc" Sewell is CTO and Trainer for Alpine Security. He currently holds many security-related certifications, including EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (Master), Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP). Doc has many years of experience in software development, working on web interfaces, database applications, thick-client GUIs, battlefield simulation software, automated aircraft scheduling systems, embedded systems, and multi-threaded CPU and GPU applications. Doc's cybersecurity experience includes penetration testing a fighter jet embedded system, penetration testing medical lab devices, creating phishing emails and fake web sites for social engineering engagements, and teaching security courses to world-renowned organizations such as Lockheed Martin and the Hong Kong Police Department. Doc's hobbies and interests include home networking, operating systems, computer gaming, reading, movie watching, and traveling.